MY GDPR STATEMENT OF COMPLIANCE
I have read the Information Commissioner’s Office guidelines for compliance with the new General Data Protection Regulation (GDPR) rules. The document that follows explains how I comply. If you have given me your email address (by emailing me, or commenting on my website, for example), you should read this to reassure yourself that I am looking after your data responsibly.
Based on the 12 steps to take in the ICO booklet, ‘Preparing for the General Data Protection Regulation – 12 Steps to Take Now’, here are my answers.
I am a sole trader, so there is no one else in my organisation to make aware.
- The information I hold:
  - Email addresses of people who have emailed me and to whom I have replied: automatically saved in iCloud, protected by a strong password and two-factor authentication.
  - Email addresses of readers who have commented on my website: stored on WordPress, protected by a strong password.
I do not ‘process’ or share this information with anyone, except with the explicit permission of the person in question. I never aggregate or sell it.
- Communicating privacy information
I have a note on the Contact page of my website, with a link to this information.
- Individuals’ rights
On request, I will delete personal information (contact details and any other relevant information) held by me.
If someone asked to see their data, I would take a screenshot of their entry/entries.
- Subject access requests
I aim to respond to all requests within 48 hours.
- Lawful basis for processing data
I do not ‘process’ data. I hold contact details so that I can reply, and that is all.
As I only reply on an individual basis to people who have contacted me, and do not use their personal details in any other way, I regard this as consent.
Young people sometimes email me but I do not know their age unless they tell me – and I only have their word for that. Since I am not “processing” their data, I am not required to ask for parental consent. I reply to the email and do not contact them again.
- Data breaches
I have done everything I can to prevent these, by strongly password-protecting my computer and my WordPress and Blacknight accounts. If either of those organisations (WordPress or Blacknight) were compromised, I would immediately take steps to follow their advice.
- Data Protection by Design and Data Protection Impact Assessments
I have familiarised myself with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and believe that I am using best practice.
- Data Protection Officers
As a sole trader, I do not have a DPO.
My lead data protection supervisory authority is the UK’s ICO.
As an ex-lobbyist, I observe that authors and other sole traders with small websites could have been better represented during the drafting of the GDPR regulations, but they weren’t, so here we are. I have always tried to respect your privacy and look after your data, as I hope you would for me.